Abstract. We consider representations of algebraic tori $T_n(\mathbb{F}_q)$ over finite fields. We make use of normal elliptic bases to show that, for infinitely many squarefree integers $n$ and infinitely many values of $q$, we can encode $m$ torus elements, up to a small fixed overhead, into $m$ $\varphi(n)$-tuples of $\mathbb{F}_q$ elements, in quasi-linear time in $\log q$.

This improves upon previously known algorithms, which all have a quasi-quadratic complexity. As a result, the cost of the encoding phase is now negligible in Diffie-Hellman cryptographic schemes.

1. Introduction 

Multiplicative groups defined by finite fields $\mathbb{F}_{q^n}^\times$ are of first importance in numerous applications, especially in discrete-log based public key cryptography. In this field, Diffie and Hellman's seminal paper [DH76] opened the way to their use in numerous cryptographic standards in the eighties. It turns out that elliptic curves are often preferred today, since there exist subexponential algorithms to solve the discrete logarithm problem in finite fields [Sch93]. But $\mathbb{F}_{q^n}^\times$-subgroups of order $\Phi_n(q)$, where $\Phi_n$ denotes the $n$-th cyclotomic polynomial (the minimal polynomial over $\mathbb{Q}$ of $e^{2i\pi/n}$), have reattracted attention since the publication of Lenstra and Verheul's XTR scheme in 2000 [LV00].

Lenstra and Verheul noticed that in the very particular case $n = 6$, working in the $\mathbb{F}_{q^6}^\times$-subgroup of order $\Phi_6(q) = q^2 - q + 1$ can be done with $\mathbb{F}_{q^2}$ arithmetic, whereas the best way to break the system remains to solve discrete logarithm problems in $\mathbb{F}_{q^6}^\times$. Certainly, this yields reasonably competitive implementations. But the most surprising is that XTR subgroups are, up to symmetry, generated by the relative trace $\mathrm{Tr}_{\mathbb{F}_{q^6}/\mathbb{F}_{q^2}}$. As a consequence, we can encode them with only two elements of $\mathbb{F}_q$, with time complexity equal to $\log^{1+o(1)} q$ elementary operations.



In this paper, we exhibit for $n > 6$, $n$ fixed, encodings that can be computed very efficiently, that is with $\log^{1+o(1)} q$ bit operations too. To this purpose, we start from the interpretation of XTR-subgroups as algebraic tori, due to Rubin and Silverberg [RS03], and the explicit encoding proposed by van Dijk and Woodruff [DW04].

Algebraic tori over $\mathbb{F}_q$ are algebraic groups defined over $\mathbb{F}_q$ that are isomorphic to some $(\mathbb{G}_m)^d$ over $\overline{\mathbb{F}_q}$, where $\mathbb{G}_m$ denotes the multiplicative group and $d$ is the dimension of the torus. Algebraic tori involved here are

$$T_n(\mathbb{F}_q) = \{x \in \mathbb{F}_{q^n}^\times : N_{\mathbb{F}_{q^n}/F}(x) = 1 \text{ whenever } \mathbb{F}_q \subseteq F \subsetneq \mathbb{F}_{q^n},\ F \text{ a field}\}. \qquad (1.1)$$

These are algebraic varieties of dimension $d = \varphi(n)$, where $\varphi$ is the Euler totient function. It turns out that in terms of groups, $T_n(\mathbb{F}_q)$ is the subgroup of order $\Phi_n(q)$, that is $T_n(\mathb{F}_q) = \{x \in \mathbb{F}_{q^n}^\times : x^{\Phi_n(q)} = 1\}$. An efficient rational parameterization of these tori with $\varphi(n)$-tuples instead of $n$-tuples would thus allow the same security as in $\mathbb{F}_{q^n}^\times$, but a reduced communication cost. Even though practical constructions exist for particular values of $n$ (for instance, 2, 3 or 6 with LUC [SL93], XTR [LV00] or CEILIDH [RS03]), the rationality or stable rationality of such structures for every $n$ has been a concern for several years now [Vos91].

A nice workaround proposed by van Dijk and Woodruff [DW04] consists in adding to the torus $T_n(\mathbb{F}_q)$ some well chosen finite fields and mapping the whole set into another product of finite fields,

$$\theta : T_n(\mathbb{F}_q) \times \prod_{\substack{d \mid n\\ \mu(n/d) = -1}} \mathbb{F}_{q^d}^\times \longrightarrow \prod_{\substack{d \mid n\\ \mu(n/d) = +1}} \mathbb{F}_{q^d}^\times, \qquad (1.2)$$

where $\mu$ is the Moebius function. This bijection enables to compactly represent $m$ elements of $T_n(\mathbb{F}_q)$ with roughly $m\varphi(n)$ elements of $\mathbb{F}_q$ for large enough $m$. For well chosen $q$ and $n$, mainly $n$ a product of distinct primes and $q$ of maximal order modulo these primes, evaluating $\theta$ requires at least $n^{3+o(1)}\log^{2+o(1)} q$ elementary operations.

In the present work, we observe that the heaviest part of the complexity comes from exponentiations in $\mathbb{F}_{q^n}$ to powers with a sparse decomposition in basis $q$, and we succeed in speeding up the algorithm with the help of a new representation of field extensions. Couveignes and Lercier recently constructed a new family of normal bases, called normal elliptic bases [CL09]. They allow to perform low cost arithmetic in $\mathbb{F}_{q^n}$, and in the context of tori this yields encodings with a $\log q$ smaller computational cost. In order to reach this complexity, we need inputs $q$ and $n$ such that $\Phi_e(q)$ and $\Phi_f(q)$ are relatively prime for any distinct divisors $e$ and $f$ of $n$. This is not a big restriction in applications, since there are infinitely many $n$ and $q$ such that this condition holds.

It is worth noticing that the encoding cost becomes negligible with regard to the major cost in many Diffie-Hellman cryptosystems, $n^{2+o(1)}\log^{2+o(1)} q$ bit operations, due to exponentiations in $\mathbb{F}_{q^n}$. This is particularly interesting since in cryptographic applications $q$ tends to be a large number and $n$ rather small.

We may also remark that these ideas can be easily adapted to the improved variant of $\theta$ introduced by van Dijk et al. in 2005 [DGP+05]. They substitute tori of small dimensions for the finite fields $\mathbb{F}_{q^d}$ in Eq. (1.2), but all the calculations still take place in $\mathbb{F}_{q^n}$ and can be sped up thanks to normal elliptic bases.

Outline. In Section 2, we present some background material about algebraic tori encodings. Section 3 outlines some nice cyclotomic properties of these algorithms and shows how the use of a normal elliptic basis can yield a $\log q$ speedup. Section 4 discusses some of the cryptographic applications of these mappings.

2. Explicit Algebraic Tori Encodings 

Van Dijk and Woodruff first proposed an algorithmic way to efficiently encode a torus $T_n(\mathbb{F}_q)$, modulo some small constraints on $q$ and $n$ [DW04].

2.1. Principles. We start from the embedding $T_n(\mathbb{F}_q) \hookrightarrow \mathbb{F}_{q^n}^\times$ and we complete both sides with the missing parts in order to create a bijection.

From $X^n - 1 = \prod_{d \mid n} \Phi_d(X)$, we have $\mathbb{F}_{q^n}^\times \sim \prod_{d \mid n} T_d(\mathbb{F}_q)$. Van Dijk and Woodruff first add the product $\prod_{d \mid n,\ d \neq n} T_d(\mathbb{F}_q)$ to the left hand side of the embedding. Then, they identify factors of the form $\mathbb{F}_{q^d}^\times$ with $d \mid n$ in this expression. At this step, we may have to add some newer tori, of smaller dimension. As a result, this will modify the right hand side too. But again, we identify there factors of the form $\mathbb{F}_{q^d}^\times$. After enough such iterations, this yields a bijection $\theta$ (cf. Eq. (1.2)).

The domain of this bijection is much larger than $T_n(\mathbb{F}_q)$, but in the case where we have $m$ elements of $T_n(\mathbb{F}_q)$ to encode, we can nevertheless recover a quasi optimal encoding rate. We refer to Section 4.1 for details.

Example. Let us see how it works for $n = 15$. We have

$$T_1(\mathbb{F}_q) \times T_3(\mathbb{F}_q) \times T_5(\mathbb{F}_q) \times T_{15}(\mathbb{F}_q) \sim \mathbb{F}_{q^{15}}^\times.$$

So, $(T_1(\mathbb{F}_q) \times T_3(\mathbb{F}_q)) \times (T_1(\mathbb{F}_q) \times T_5(\mathbb{F}_q)) \times T_{15}(\mathbb{F}_q) \sim \mathbb{F}_{q^{15}}^\times \times T_1(\mathbb{F}_q)$, hence the bijection

$$\mathbb{F}_{q^3}^\times \times \mathbb{F}_{q^5}^\times \times T_{15}(\mathbb{F}_q) \longrightarrow \mathbb{F}_{q^{15}}^\times \times \mathbb{F}_q^\times,$$

since

$$T_1(\mathbb{F}_q) \sim \mathbb{F}_q^\times, \qquad T_3(\mathbb{F}_q) \times T_1(\mathbb{F}_q) \sim \mathbb{F}_{q^3}^\times \qquad \text{and} \qquad T_5(\mathbb{F}_q) \times T_1(\mathbb{F}_q) \sim \mathbb{F}_{q^5}^\times.$$

Let us remark that there is no guarantee that the $\Phi_d(q)$'s are coprime, and thus this bijection may not be a group isomorphism.

2.2. Explicit Encodings. We now show how we can explicitly construct the bijection $\theta$. We can obtain its inverse in the same way, but for the sake of simplicity, we omit details.

For all $d \mid n$, call $U_d$ the smallest positive integer such that

$$\forall e \mid d,\ \forall f \mid d \text{ with } e \neq f,\qquad \gcd\bigl(\Phi_e(q),\ \ \bigr) = 1. \qquad (2.1)$$

For $e \mid d \mid n$, let furthermore $y_{d,e} = \gcd(\Phi_e(q), (q^d - 1)/U_d)$ and $z_{d,e} = \gcd(\Phi_e(q), U_d)$. Let finally $w_d$, $w_{d,e}$ and $u_{d,e}$, $v_{d,e}$ be the coefficients in Bezout's relations

$$\frac{q^d - 1}{U_d}\, w_d + \sum_{e \mid d} \frac{q^d - 1}{y_{d,e}}\, w_{d,e} = 1 \qquad \text{and} \qquad \frac{\Phi_e(q)}{y_{d,e}}\, u_{d,e} + \frac{\Phi_e(q)}{z_{d,e}}\, v_{d,e} = 1. \qquad (2.2)$$

With the notations above, we have the following bijections, for all $d \mid n$,

$$\mathbb{F}_{q^d}^\times \longrightarrow \mathbb{Z}/U_d\mathbb{Z} \times \prod_{e \mid d} \mathbb{Z}/y_{d,e}\mathbb{Z} \qquad \text{and} \qquad \mathbb{Z}/U_d\mathbb{Z} \longrightarrow \prod_{e \mid d} \mathbb{Z}/z_{d,e}\mathbb{Z}.$$

These two successive bijections give a full decomposition of each $\mathbb{F}_{q^d}^\times$ into

$$\Bigl(\prod_{e \mid d} \mathbb{Z}/y_{d,e}\mathbb{Z}\Bigr) \times \Bigl(\prod_{e \mid d} \mathbb{Z}/z_{d,e}\mathbb{Z}\Bigr).$$

The first bijection is a canonical bijection given by the Chinese remainder theorem, whereas the second one is non-canonical and can be performed by a table lookup. Van Dijk and Woodruff have proved that these tables are of reasonable size when some technical conditions are satisfied by $n$ and $q$, mainly $n$ being a product of distinct primes and $q$ of maximal order modulo these primes.

The idea is now to give a decomposition of both sides of the bijection $\theta$ and to identify the small groups on each side. The same groups appear in a different order, except $T_n(\mathbb{F}_q)$ which is mapped into $\mathbb{Z}/y_{n,n}\mathbb{Z} \times \mathbb{Z}/z_{n,n}\mathbb{Z}$. For each $d \mid n$, $d \neq n$, we identify $\prod_{e \mid d} \mathbb{Z}/z_{d,e}\mathbb{Z} \longrightarrow \prod_{e \mid d} \mathbb{Z}/z_{\rho_e(d),e}\mathbb{Z}$, where $\rho_e$ is the bijection

$$\rho_e : \{d : e \mid d \mid n,\ \mu(n/d) = 1\} \longrightarrow \{d : e \mid d \mid n,\ \mu(n/d) = -1\}.$$

All in all, we obtain Algorithm 1.



Algorithm 1: Computation of $\theta$.
Input: $x \in T_n(\mathbb{F}_q)$ and $x_d \in \mathbb{F}_{q^d}^\times$ for all $d \mid n$ such that $\mu(n/d) = -1$.
Output: $x_d \in \mathbb{F}_{q^d}^\times$ for all $d \mid n$ such that $\mu(n/d) = 1$.

1 foreach $d \mid n$ such that $\mu(n/d) = -1$ do
2   Compute $x_d \mapsto x_d^{(q^d-1)/U_d}$, the canonical map $\mathbb{F}_{q^d}^\times \to \mathbb{Z}/U_d\mathbb{Z}$.
3   Compute $x_d^{(q^d-1)/U_d} \mapsto (Z_{d,e})_{e \mid d}$, the table lookup $\mathbb{Z}/U_d\mathbb{Z} \to \prod_{e \mid d} \mathbb{Z}/z_{d,e}\mathbb{Z}$.
4   Map $(Z_{d,e})_{e \mid d} \mapsto (Z_{\rho_e(d),e})_{e \mid d}$, that is map $\prod_{e \mid d} \mathbb{Z}/z_{d,e}\mathbb{Z} \to \prod_{e \mid d} \mathbb{Z}/z_{\rho_e(d),e}\mathbb{Z}$.
5 end
6 Compute $Z_{n,n} = x^{\Phi_n(q)/z_{n,n}} \in \mathbb{Z}/z_{n,n}\mathbb{Z}$.
7 foreach $d \mid n$ such that $\mu(n/d) = 1$ do
8   Compute $(Z_{d',e})_{\rho_e(d') = d,\ e \mid d} \mapsto Z_d$, the table lookup $\prod_{\rho_e(d') = d,\ e \mid d} \mathbb{Z}/z_{d',e}\mathbb{Z} \to \mathbb{Z}/U_d\mathbb{Z}$.
9   Compute $x_d \in \mathbb{F}_{q^d}^\times$ as the product of the $Z_{d',e}$, $\rho_e(d') = d$, $e \mid d$, raised to the Bezout coefficients of Eq. (2.2).
10 end
11 Multiply $x_n$ by $x^{u_{n,n}\Phi_n(q)/y_{n,n}}$.
Example. We focus again on the case $n = 15$, with $U_d = 1$ for all $d \mid n$, which gives good insight into what actually happens. We sketch the construction on Fig. 1.

Figure 1. The bijection $\theta$ for $n = 15$ and $U_1 = U_3 = U_5 = U_{15} = 1$ (phases (1), (2), (3), with the intermediate tuple $(x_1, x_3, x_5, x_{15})$ of torus components).

We have here several simplifications. For every $e \mid d$, $y_{d,e} = \Phi_e(q)$ and $z_{d,e} = 1$. Then the groups $\mathbb{Z}/y_{d,e}\mathbb{Z}$ involved are nothing but the tori $T_e(\mathbb{F}_q)$. Besides $u_{d,e} = 1$ and $v_{d,e} = 0$. Eq. (2.2) becomes $\sum_{e \mid d} \frac{q^d - 1}{\Phi_e(q)}\, w_{d,e} = 1$ and $x_{15}$ is simply given by

$$x_{15} = x_1^{w_{15,1}}\, x_3^{w_{15,3}}\, x_5^{w_{15,5}}\, x_{15}^{w_{15,15}}.$$

An explicit computation shows that the $w_{15,e}$'s have a convenient common denominator, namely 15. So, $x_{15} = (x_1^{r_1} x_3^{r_3} x_5^{r_5} x_{15}^{r_{15}})^{1/15}$, where the $r_e$'s are convenient polynomials in $q$,

$$r_1 = 1,\qquad r_3 = -q - 2,\qquad r_5 = -q^3 - 2q^2 - 3q - 4,\qquad r_{15} = q^7 - 3q^5 + 4q^4 - 5q^3 + 7q - 8.$$

The cost is as follows (cf. Fig. 1).

Phase (1): Exponentiations to the powers $q - 1$, $\Phi_3(q) = q^2 + q + 1$ and $\Phi_5(q) = q^4 + q^3 + q^2 + q + 1$ cost on average, respectively, $\frac{1}{2}\log q$, $\frac{1}{2}(2\log q)$ and $\frac{1}{2}(4\log q)$ multiplications, since we perform exponentiations to powers of the sizes $q$, $q^2$ and $q^4$.

Phase (2): Negligible.

Phase (3): Recall the expressions of the $r_e$'s. Exponentiation to these powers demands on average $\deg r_e \times (\frac{1}{2}\log q)$. So altogether: $(0 + 1 + 3 + 7) \times (\frac{1}{2}\log q)$.

This elementary calculation shows that, on average, the cost is about $9\log q$ multiplications in $\mathbb{F}_{q^{15}}$, that is $\log^{2+o(1)} q$ elementary operations. Van Dijk and Woodruff propose some insights to improve this cost in practice (multi-exponentiations, redundancies, etc.), but the asymptotic complexity remains quasi-quadratic in $\log q$.
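To make the construction of this section concrete, here is an added example (not from the paper) that runs the bijection $\theta$ for $n = 15$ in the smallest possible instance, $q = 2$, where $\mathbb{F}_{2^{15}}^\times$ has order $32767 = 7 \cdot 31 \cdot 151 = \Phi_3(2)\Phi_5(2)\Phi_{15}(2)$ and $U_d = 1$ for every $d$. It assumes the field is realised as $\mathbb{F}_2[X]/(X^{15} + X + 1)$, a primitive trinomial, with the class of $X$ as generator; as in Section 2.3, every element, including those of the subfields $\mathbb{F}_{2^3}$ and $\mathbb{F}_{2^5}$, is kept in the representation of the big field. The decomposition by exponents $(q^d-1)/\Phi_e(q)$, the Bezout reconstruction of Eq. (2.2) and the closed form with the $r_e$ above are the paper's; the code is not.

```python
# Added example, not from the paper: the Van Dijk-Woodruff bijection of
# Section 2 for n = 15 in the smallest instance, q = 2.  F_{2^15} is built as
# F_2[X]/(X^15 + X + 1) (a primitive trinomial; an assumption of this example)
# and every element, subfield elements included, is a 15-bit integer, as in
# Section 2.3.  T_e(F_2) is the subgroup of order Phi_e(2).
N = 15
MOD = (1 << 15) | (1 << 1) | 1       # X^15 + X + 1
ORDER = (1 << 15) - 1                # 32767 = 7 * 31 * 151 = Phi_3 * Phi_5 * Phi_15 at q = 2

def gf_mul(a, b):
    """Carry-less product in F_2[X], reduced modulo X^15 + X + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> 15:
            a ^= MOD
    return r

def gf_pow(a, e):
    """a^e by square-and-multiply; e is taken modulo the group order."""
    e %= ORDER
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def divisors(n):
    return [d for d in range(1, n + 1) if n % d == 0]

def cyclo(n, q):
    """Phi_n(q) as an integer: q^n - 1 divided exactly by Phi_d(q), d | n, d < n."""
    v = q ** n - 1
    for d in divisors(n)[:-1]:
        v //= cyclo(d, q)
    return v

PHI = {e: cyclo(e, 2) for e in divisors(N)}   # {1: 1, 3: 7, 5: 31, 15: 151}

def decompose(x_d, d):
    """Phase (1) with U_d = 1: F_{2^d}^x -> prod_{e|d} T_e(F_2), t_e = x_d^{(2^d-1)/Phi_e(2)}."""
    return {e: gf_pow(x_d, (2 ** d - 1) // PHI[e]) for e in divisors(d)}

def reconstruct(parts, d):
    """Phase (3): prod_{e|d} T_e(F_2) -> F_{2^d}^x.  With m_e = (2^d-1)/Phi_e(2) the
    Bezout relation (2.2) reads sum_e m_e w_e = 1, w_e = m_e^{-1} mod Phi_e(2), so
    x_d = x_d^{sum_e m_e w_e} = prod_e t_e^{w_e}."""
    x = 1
    for e, t in parts.items():
        m = (2 ** d - 1) // PHI[e]
        w = pow(m, -1, PHI[e]) if PHI[e] > 1 else 0
        x = gf_mul(x, gf_pow(t, w))
    return x

def theta(x, x3, x5):
    """theta : T_15 x F_{2^3}^x x F_{2^5}^x -> F_{2^15}^x x F_2^x (F_2^x = T_1(F_2) = {1})."""
    t3, t5 = decompose(x3, 3), decompose(x5, 5)
    x15 = reconstruct({1: t3[1], 3: t3[3], 5: t5[5], 15: x}, 15)
    return x15, gf_mul(t3[1], t5[1])

def theta_inv(x15):
    t = decompose(x15, 15)
    return t[15], reconstruct({1: 1, 3: t[3]}, 3), reconstruct({1: 1, 5: t[5]}, 5)

def reconstruct_via_r(parts):
    """The closed form of the text for n = 15, x_15 = (x_1^{r_1} x_3^{r_3} x_5^{r_5} x_15^{r_15})^{1/15},
    evaluated at q = 2; 1/15 is the inverse of 15 modulo 2^15 - 1."""
    q = 2
    r = {1: 1, 3: -q - 2, 5: -q**3 - 2*q**2 - 3*q - 4,
         15: q**7 - 3*q**5 + 4*q**4 - 5*q**3 + 7*q - 8}
    y = 1
    for e, t in parts.items():
        y = gf_mul(y, gf_pow(t, r[e]))
    return gf_pow(y, pow(15, -1, ORDER))

def demo():
    g = 2                                  # the class of X generates F_{2^15}^x (assumption above)
    x = gf_pow(g, ORDER // PHI[15])        # an element of T_15(F_2), of order 151
    x3 = gf_pow(g, ORDER // PHI[3])        # a generator of F_{2^3}^x
    x5 = gf_pow(g, ORDER // PHI[5])        # a generator of F_{2^5}^x
    x15, x1 = theta(x, x3, x5)
    parts = {1: 1, 3: decompose(x3, 3)[3], 5: decompose(x5, 5)[5], 15: x}
    return {"inputs_ok": gf_pow(x, PHI[15]) == 1 and gf_pow(x3, 8) == x3 and gf_pow(x5, 32) == x5,
            "round_trip": theta_inv(x15) == (x, x3, x5),
            "closed_form": reconstruct_via_r(parts) == x15,
            "x1": x1}
```

With $q = 2$ the factors $T_1(\mathbb{F}_2)$ and $\mathbb{F}_2^\times$ are trivial, so the bijection collapses to $T_{15} \times \mathbb{F}_{2^3}^\times \times \mathbb{F}_{2^5}^\times \to \mathbb{F}_{2^{15}}^\times$, a product of three cyclic groups of coprime orders against a cyclic group of order their product; `demo()` checks the round trip and that the $r_e$ closed form agrees with the Bezout reconstruction.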

2.3. Computational Complexities. We can now state more precisely the complexity of Algorithm 1.

We first construct an irreducible polynomial $P(X)$ of degree $n$ over $\mathbb{F}_q$, which can be done in $n^{2+o(1)}\log^{2+o(1)} q$ operations [PR98]. Let $\alpha = X \bmod P(X)$. Then $(1, \alpha, \ldots, \alpha^{n-1})$ is an $\mathbb{F}_q$-basis of $\mathbb{F}_{q^n}$. Additions, subtractions and comparisons require $O(n\log q)$ elementary operations. Multiplications and divisions require $n^{1+o(1)}\log^{1+o(1)} q$ elementary operations.

We also have to handle basis changes between $\mathbb{F}_{q^n}$ and its subfields $\mathbb{F}_{q^d}$. There are $d(n)$ such subfields, where $d(n)$ is the divisor function. This may yield large finite field lattices (see Fig. 2 for an example). To simplify things, and since it does not change the complexity, we consider that $\mathbb{F}_{q^d}$ elements for $d \mid n$ are given in the basis $(1, \alpha, \ldots, \alpha^{n-1})$ too. So, we can easily multiply elements given in two distinct subfields. Just, in order to obtain the right dimensions for inputs or outputs of the algorithm, we apply to an $\mathbb{F}_{q^d}$ element given in $\mathbb{F}_{q^n}$ an $\mathbb{F}_q$-linear compression derived from equations of the type $x^{q^d} = x$. This yields matrices $A_{n,d} \in \mathcal{M}_{n,d}(\mathbb{F}_q)$ for the embedding $\mathbb{F}_{q^d} \hookrightarrow \mathbb{F}_{q^n}$. Building and applying such a matrix costs at most $n^3$ multiplications in $\mathbb{F}_q$. Since there are $d(n) = n^{o(1)}$ of them, this yields a total cost of $n^{3+o(1)}\log^{1+o(1)} q$ bit operations.

Van Dijk and Woodruff outline that for "reasonable" integers $n$ and $q$, mainly $n$ a product of distinct primes and $q$ of maximal order modulo these primes, table lookup costs are negligible and the main costs are Step 4 and Step 9 of the algorithm. They involve exponents which are derived from cyclotomic polynomials. Computing $\Phi_n$ can be done in time essentially equal to its size (start from complex floating point approximations of primitive $n$-th roots of unity and reconstruct $\Phi_n$ from these roots). We know that this is a polynomial of degree $\varphi(n)$ with coefficients upper bounded by $n^{d(n)/2}$ [Erd46, Bat49], that is a size of at most $n^{1+o(1)}$ bits. Evaluating all the $\Phi_d$'s at $q$ yields exponents with $d\log q$ bits and can be done with $n^{2+o(1)}\log^{1+o(1)} q$ elementary operations. Using finally the approximate growth rate $\sum_{d \mid n} d = n^{1+o(1)}$, the total cost of Step 4 and Step 9 is equal to $n^{2+o(1)}\log^{2+o(1)} q$.




Figure 2. Finite field lattices for $n = def$, a product of three distinct primes.

3. Elliptic Periods and Algebraic Tori 

We now focus on the case $U_d = 1$ for every $d \mid n$. That is no big restriction, at least for cryptographic purposes. Indeed Lemma 1 in Section 3.1 shows that infinitely many values of $q$ work, for infinitely many values of $n$.

We observe in Section 3.3 that most of the exponentiations occurring in Algorithm 1 involve exponents with a sparse decomposition in basis $q$. This makes it interesting to handle $\mathbb{F}_{q^n}$ with a normal basis $(\alpha, \alpha^q, \ldots, \alpha^{q^{n-1}})$ instead of a power basis $(1, \alpha, \ldots, \alpha^{n-1})$, since with such a choice $q$-th powers become inexpensive. Since we need to multiply elements of $\mathbb{F}_{q^n}$ in quasi-linear time too, normal elliptic bases are a natural choice that we introduce in Section 3.2.

3.1. Restrictions on $n$ and $q$. For squarefree integers $n$, we can prove the following result.

Lemma 1. For infinitely many squarefree integers $n$, there are infinitely many values of $q$ such that $U_d = 1$ for all $d \mid n$.

Proof. From Eq. (2.1), we deduce

$$U_d = 1 \iff \forall e \mid d,\ \forall f \mid d,\ e \neq f,\quad \gcd(\Phi_e(q), \Phi_f(q)) = 1. \qquad (3.1)$$

The right hand side condition is always satisfied when $\operatorname{Res}(\Phi_e, \Phi_f) = 1$, and it is widely known that this is equivalent to the condition $f \neq ep^i$ with $p$ prime and $i \geq 1$ (see [Dun09] for a proof). This is a corollary of the following formula due to Apostol [Apo70], for $f > e \geq 1$,

$$\operatorname{Res}(\Phi_f, \Phi_e) = \prod_{\substack{d \mid e,\ p \text{ prime}\\ f/\gcd(f,d) = p^i}} p^{\mu(e/d)\,\varphi(f)/\varphi(p^i)}. \qquad (3.2)$$

There remains to check that when $f = ep^i$, there exist integers $q$ such that Eq. (3.1) is satisfied. Since $n$ is supposed to be squarefree, the only cases are $f = ep$, $p$ prime.

Case $e = 1$: The divisor $f$ is then equal to the prime $p$ and $\operatorname{Res}(\Phi_1, \Phi_f) = f$. In order to have $\gcd(\Phi_e(q), \Phi_f(q)) = 1$, $q$ must not be a common root of $\Phi_e$ and $\Phi_f$ modulo $f$. In other words, we must have $q \not\equiv 1 \bmod f$.

Case $e > 1$: The divisor $f$ is then equal to $pe$ where $p$ is a prime. Since $e$ is squarefree, we know from Eq. (3.2) that $\operatorname{Res}(\Phi_e, \Phi_{pe}) = p^{\varphi(e)}$. So, $q$ must not be a common root of $\Phi_e$ and $\Phi_{pe}$ modulo $p$. Modulo $p$, $\Phi_e$ has a decomposition into irreducible polynomials of the same degree, and this degree is equal to the order of $p$ modulo $e$ (cf. [LN83]). In other words, $\Phi_e$ and $\Phi_{pe}$ can only have a common root when $p \equiv 1 \bmod e$. In this case, $q$ must not be one of the $\varphi(e)$ roots of $\Phi_e$ modulo $p$.

The restrictions above leave infinitely many possibilities for $q$, at least for infinitely many values of $n$. For instance, let $n = p(p+2)$ be the product of two twin primes and $q$ such that $q \not\equiv 1 \bmod p$ and $q \not\equiv 1 \bmod (p+2)$. Besides, since $p + 2 \not\equiv 1 \bmod p$, all the conditions above are satisfied. Thus we have an infinite family of numbers $q$ suitable for each $n$, and an infinite number of possible values for $n$ itself. □
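As an added check (not part of the paper), the following code tests condition (3.1) exhaustively for small $q$ on the twin-prime family $n = p(p+2)$ of the proof, and compares the outcome with the two restrictions $q \not\equiv 1 \bmod p$ and $q \not\equiv 1 \bmod (p+2)$ derived above. Here $q$ runs over all integers $\geq 2$, prime power or not, since the gcd condition is purely arithmetic; the cyclotomic values $\Phi_e(q)$ are computed by exact division of $q^e - 1$.

```python
# Added example, not from the paper: condition (3.1) checked exhaustively for
# small q and n = p(p+2), the twin-prime family of the proof of Lemma 1.  The
# prediction of the proof (q != 1 mod p and q != 1 mod p+2) is compared with the
# pairwise-coprimality test itself; q ranges over all integers here, prime power
# or not, since the gcd condition is purely arithmetic.
from math import gcd

def divisors(n):
    return [d for d in range(1, n + 1) if n % d == 0]

def cyclo(n, q):
    """Phi_n(q) as an integer: q^n - 1 divided exactly by Phi_d(q), d | n, d < n."""
    v = q ** n - 1
    for d in divisors(n)[:-1]:
        v //= cyclo(d, q)
    return v

def offending_pairs(n, q):
    """Pairs e < f of divisors of n with gcd(Phi_e(q), Phi_f(q)) > 1: the
    obstructions to U_d = 1 for every d | n (Eq. (3.1))."""
    ds = divisors(n)
    return [(e, f) for i, e in enumerate(ds) for f in ds[i + 1:]
            if gcd(cyclo(e, q), cyclo(f, q)) > 1]

def all_coprime(n, q):
    return not offending_pairs(n, q)

def twin_prime_prediction(p, q):
    """The conditions the proof of Lemma 1 derives for n = p(p+2)."""
    return q % p != 1 and q % (p + 2) != 1

def disagreements(p, q_max):
    """Values of q in [2, q_max] where the prediction and the gcd test differ."""
    n = p * (p + 2)
    return [q for q in range(2, q_max + 1)
            if twin_prime_prediction(p, q) != all_coprime(n, q)]

if __name__ == "__main__":
    print(offending_pairs(15, 16), disagreements(3, 200), disagreements(5, 120))
```

For $n = 15$ the only pairs that can fail are $(1, 3)$ and $(1, 5)$, exactly as the case analysis predicts: the pairs $(3, 15)$ and $(5, 15)$ never fail because $5 \not\equiv 1 \bmod 3$ and $3 \not\equiv 1 \bmod 5$, and $(3, 5)$ never fails because the resultant is 1.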



3.2. Normal Elliptic Basis. We mimic here Couveignes and Lercier's construction.

Let $E/\mathbb{F}_q$ be an elliptic curve given by some Weierstrass model

$$Y^2Z + a_1XYZ + a_3YZ^2 = X^3 + a_2X^2Z + a_4XZ^2 + a_6Z^3.$$

If $A$ is a point in $E(\mathbb{F}_q)$, we denote by $\tau_A : E \to E$ the translation by $A$. We set $x_A = x \circ \tau_{-A}$ and $y_A = y \circ \tau_{-A}$. If $A$, $B$ and $C$ are three pairwise distinct points in $E(\mathbb{F}_q)$, we define

$$T(A,B,C) = \frac{y(B - A) - y(A - C)}{x(B - A) - x(A - C)}.$$

We define a function $u_{A,B} \in \mathbb{F}_q(E)$ by $u_{A,B}(C) = T(A,B,C)$. It has degree two with two simple poles, at $A$ and $B$.

We can prove the following identities (with Taylor expansions at poles),

$$\begin{aligned}
T(A,B,C) &= T(B,C,A) = -T(B,A,C) - a_1 \\
 &= -T(-A,-B,-C) - a_1, \\
u_{A,B} + u_{B,C} + u_{C,A} &= T(A,B,C) - a_1, \\
u_{A,B}\,u_{A,C} &= x_A + T(A,B,C)\,u_{A,C} + T(A,C,B)\,u_{A,B} + a_2 + x_A(B) + x_A(C), \\
u_{A,B}^2 &= x_A + x_B - a_1 u_{A,B} + x_A(B) + a_2.
\end{aligned} \qquad (3.3)$$

Assume $E(\mathbb{F}_q)$ contains a cyclic subgroup $T$ of order $n$ and let $I : E \to E'$ be the degree $n$ cyclic isogeny with kernel $T$, then the quotient $E'(\mathbb{F}_q)/I(E(\mathbb{F}_q))$ is isomorphic to $T$.

Take $A$ in $E'(\mathbb{F}_q)$ such that $A \bmod I(E(\mathbb{F}_q))$ generates this quotient. The fiber $V = I^{-1}(A) = \sum_{k \in \mathbb{Z}/n\mathbb{Z}} [B + kT]$ is an irreducible divisor. The $n$ geometric points above $A$ are defined on a degree $n$ extension of $\mathbb{F}_q$ (and permuted by Galois action), that is $\mathbb{F}_{q^n}$ is the residue extension of $\mathbb{F}_q(E)$ at $V$.

For $k \in \mathbb{Z}/n\mathbb{Z}$, we set $u_k = a\,u_{kT,(k+1)T} + b$ ($a$ and $b$ constants chosen such that $\sum_k u_k = 1$). Then the system $\Omega = (u_k(B))_{k \in \mathbb{Z}/n\mathbb{Z}}$ is an $\mathbb{F}_q$-normal basis of $\mathbb{F}_{q^n}$.

Furthermore, there exists an algorithm with quasi-linear complexity to multiply two elements given in an elliptic normal basis, mostly based on Eq. (3.3). It consists in evaluations and interpolations at $d$ points $R + kT$, where $R \in E(\mathbb{F}_q) - E[n]$.

All of this yields Theorem 1.

Theorem 1 ([CL09]). To every couple $(q, n)$ with $q$ a prime power and $n \geq 2$ an integer such that $n_q \leq \sqrt{q}$, one can associate a normal basis $\Omega(q,n)$ of the degree $n$ extension of $\mathbb{F}_q$ such that the following holds.

• There exists an algorithm that multiplies two elements given in $\Omega(q,n)$ at the expense of $n^{1+o(1)}\log^{1+o(1)} q$ elementary operations.

Here $n_q$ is such that

• $v_\ell(n_q) = v_\ell(n)$ if $\ell$ is prime to $q - 1$,
• $v_\ell(n_q) = 0$ if $v_\ell(n) = 0$,
• $v_\ell(n_q) = \max(2v_\ell(q-1) + 1,\ 2v_\ell(n))$ if $\ell$ divides both $q - 1$ and $n$.

This result can be easily extended to a result without any restriction on $q$ and $n$ (see [CL09]).

3.3. Van Dijk and Woodruff's Encoding Revisited. Since $U_d = 1$ for all $d \mid n$, van Dijk and Woodruff's encoding can be slightly simplified. It is not only a bijection, but also a group isomorphism.

For every $e \mid d$, $y_{d,e} = \Phi_e(q)$ and $z_{d,e} = 1$. Then the groups $\mathbb{Z}/y_{d,e}\mathbb{Z}$ involved are nothing but the tori $T_e(\mathbb{F}_q)$. Besides $u_{d,e} = 1$ and $v_{d,e} = 0$. So most of Algorithm 1 is reduced to two main phases: the decomposition $\mathbb{F}_{q^d}^\times \to \prod_{e \mid d} T_e(\mathbb{F}_q)$ for $d$ any divisor of $n$ such that $\mu(n/d) = -1$ on the left hand side, and the reconstruction $\prod_{e \mid d} T_e(\mathbb{F}_q) \to \mathbb{F}_{q^d}^\times$ for $d$ any divisor of $n$ such that $\mu(n/d) = 1$ on the right hand side.

Now we need to know what we gain with a normal elliptic basis. Essentially, it makes each exponentiation to a power of $q$ a simple permutation of the basis. We thus gain a $\log q$ factor for each exponentiation of this type. It is not difficult to see that the exponents occurring in the decomposition phase have a sparse decomposition in basis $q$, since they are products of evaluations of cyclotomic polynomials at $q$. But the reconstruction phase is more tricky because it involves exponentiations by Bezout's coefficients $w_{d,e}$ which do not have such a nice decomposition in basis $q$. Instead, we prefer to compute Bezout's polynomials $W_{d,e}$ such that

$$\sum_{e \mid d} \frac{X^d - 1}{\Phi_e(X)}\, W_{d,e}(X) = 1.$$

Of course, $w_{d,e} = W_{d,e}(q) \bmod \Phi_e(q)$.

Unlike cyclotomic polynomials, these polynomials do not have integer coefficients, but for squarefree integers $n$, and thus squarefree divisors $d$, all their coefficients have a common denominator, equal to $d$. More precisely, we have

$$W_{d,e}(X) = \prod_{f \mid d,\ f \neq e} \Phi_f(X)^{-1} \bmod \Phi_e(X). \qquad (3.4)$$

We may notice on the one hand that $\Phi_f(X)^{-1} \bmod \Phi_e(X)$ has integer coefficients if and only if $f \neq ep^i$ with $p$ prime and $i \geq 1$, since $\operatorname{Res}(\Phi_e, \Phi_f) = 1$ in that case (see the proof of Lemma 1). On the other hand, when $f = ep^i$, the coefficients of $\Phi_f(X)^{-1} \bmod \Phi_e(X)$ have a common denominator, equal to $f$. From Eq. (3.4), and from the squarefree property satisfied by $d$, we thus deduce that the coefficients of $W_{d,e}(X)$ have a common denominator exactly equal to $d$.

We observed that the numerators $R_{d,e}$ of the $W_{d,e}$'s have small coefficients too (see Section 3.3.1 for a detailed analysis in the case $n = pr$). Consequently, we restrict $q$ to prime powers such that $n$ is invertible modulo $q^n - 1$ and slightly modify $\theta$ to output $x_d^d$ instead of $x_d$ for each $d \mid n$ such that $\mu(n/d) = 1$. We denote $\bar\theta$ this variant (cf. Algorithm 2).
Algorithm 2: Computation of $\bar\theta$.
Input: $x \in T_n(\mathbb{F}_q)$ and $x_d \in \mathbb{F}_{q^d}^\times$ for all $d \mid n$ such that $\mu(n/d) = -1$.
Output: $x_d^d \in \mathbb{F}_{q^d}^\times$ for all $d \mid n$ such that $\mu(n/d) = 1$.

1 foreach $d \mid n$ such that $\mu(n/d) = -1$ do
2   Compute $x_d \mapsto (Z_{\rho_e(d),e})_{e \mid d}$ with $Z_{\rho_e(d),e} = x_d^{(q^d - 1)/\Phi_e(q)}$.
3 end
4 Set $Z_{n,n} = x$.
5 foreach $d \mid n$ such that $\mu(n/d) = 1$ do
6   Compute $x_d^d = \prod_{\rho_e(d') = d,\ e \mid d} Z_{d',e}^{R_{d,e}(q)} \in \mathbb{F}_{q^d}^\times$.
7 end



Fortunately, we do not need any more compression matrices $A_{n,d}$ with a normal basis (cf. Section 2.3). In truth, an $\mathbb{F}_{q^d}$ element has a periodic set of components in any normal basis of $\mathbb{F}_{q^n}$. Consequently, compressing simply consists in truncating to the $d$ first components, and expanding consists in concatenating $n/d$ copies of a $d$-tuple of $\mathbb{F}_q$ elements. Costs are negligible.
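The two facts just used, that a $q$-th power permutes the coordinates of a normal basis and that subfield elements have periodic coordinates, can be seen in a small computation. The following added example (not from the paper) uses, instead of an elliptic normal basis, the type-I optimal normal basis of $\mathbb{F}_{2^{10}} = \mathbb{F}_2[X]/(\Phi_{11}(X))$, an assumption made only because its multiplication rule is two lines long ($\zeta^i\zeta^j = \zeta^{(i+j) \bmod 11}$ and $1 = \zeta + \zeta^2 + \cdots + \zeta^{10}$); the properties demonstrated (Frobenius as a cyclic shift, periodicity of $\mathbb{F}_{2^2}$ and $\mathbb{F}_{2^5}$ elements, compression by truncation and expansion by repetition) hold for any normal basis, which is what the argument above relies on.

```python
# Added example, not from the paper: the two normal-basis properties invoked
# above, checked in F_{2^10}.  Instead of an elliptic normal basis (which needs
# curve arithmetic) this uses the type-I optimal normal basis, an assumption of
# this example: F_{2^10} = F_2[X]/(Phi_11(X)), zeta the class of X, basis
# (zeta, zeta^2, zeta^4, ..., zeta^{2^9}); zeta^i zeta^j = zeta^{(i+j) mod 11}
# and 1 = zeta + zeta^2 + ... + zeta^10 (since Phi_11(zeta) = 0 in characteristic 2).
from itertools import product

N, P = 10, 11                                # P = N + 1 prime, 2 generates (Z/11Z)^x
EXP = [pow(2, k, P) for k in range(N)]       # coordinate k holds the coefficient of zeta^EXP[k]
ONE = [1] * N                                # 1 = sum of all basis elements

def mul(a, b):
    """Product of two elements given by their normal-basis coordinates."""
    prod = [0] * P                           # coefficients of zeta^0, ..., zeta^10
    for i, x in zip(EXP, a):
        for j, y in zip(EXP, b):
            if x and y:
                prod[(i + j) % P] ^= 1
    if prod[0]:                              # rewrite zeta^0 = 1 as zeta + ... + zeta^10
        prod = [0] + [c ^ 1 for c in prod[1:]]
    return [prod[e] for e in EXP]

def frobenius(c):
    """x -> x^2, computed by an actual multiplication."""
    return mul(c, c)

def shift(c):
    """What a normal basis guarantees for x -> x^q: a cyclic shift of coordinates."""
    return [c[-1]] + c[:-1]

def in_subfield(c, d):
    """x lies in F_{2^d} iff x^{2^d} = x."""
    y = c
    for _ in range(d):
        y = frobenius(y)
    return y == c

def expand(sub, d):
    """F_{2^d} -> F_{2^10}: concatenate N/d copies of the d coordinates."""
    return sub * (N // d)

def compress(c, d):
    """F_{2^10} -> F_{2^d}: truncate to the first d coordinates (requires periodicity)."""
    if c != expand(c[:d], d):
        raise ValueError("not an F_{2^%d} element" % d)
    return c[:d]

def subfield_sizes():
    """Count the elements of F_{2^10} fixed by x -> x^{2^d}; should be 2^d."""
    return {d: sum(in_subfield(list(c), d) for c in product([0, 1], repeat=N)) for d in (1, 2, 5)}

def demo():
    x = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1]       # two arbitrary (constructed) elements
    y = [0, 1, 1, 0, 1, 0, 0, 1, 1, 0]
    return {
        "frobenius_is_shift": frobenius(x) == shift(x) and frobenius(y) == shift(y),
        "one_is_neutral": mul(ONE, x) == x,
        "frobenius_is_multiplicative": shift(mul(x, y)) == mul(shift(x), shift(y)),
        "periodic_are_subfield": all(in_subfield(expand(list(v), 5), 5)
                                     for v in product([0, 1], repeat=5)),
        "compress": compress(expand([1, 0, 1, 1, 0], 5), 5) == [1, 0, 1, 1, 0],
        "sizes": subfield_sizes(),
    }
```

Every period-5 coordinate vector is an $\mathbb{F}_{2^5}$ element and the count of elements fixed by $x \mapsto x^{2^5}$ is exactly $32$, so the periodic vectors are all of $\mathbb{F}_{2^5}$; the same holds for $\mathbb{F}_{2^2}$ (period 2) and $\mathbb{F}_2$ (period 1).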

Before considering in detail the case $n = pr$, a product of two primes, in Section 3.3.1, and discussing the general case in Section 3.3.2, we focus on an explicit example, namely $n = 15$, in order to compare with Section 2.2.

Example. Recall Fig. 1 for the notations; the costs are the following.

Phase (1): Exponentiations to the powers $\Phi_3(q) = q^2 + q + 1$ and $\Phi_5(q) = q^4 + q^3 + q^2 + q + 1$ cost respectively 2 and 4 multiplications, since exponentiation to a power of $q$ is free (mere permutation of the basis). Exponentiation to the power $q - 1$ costs an inversion, which is performed in linear time.

Phase (2): Negligible.

Phase (3): Recall the expressions of the $r_e$'s. For instance $r_{15} = q^7 - 3q^5 + 4q^4 - 5q^3 + 7q - 8$. Exponentiation to this power demands $6 \times 3$ multiplications for the coefficients (6 coefficients of size at most $2^3$) and 6 multiplications to add the 7 monomials. The same calculation for each $r_e$ gives the global cost of Phase (3): $3 + ((0) + (1 \times 1 + 1) + (2 \times 2 + 2) + (6 \times 3 + 6))$ multiplications and 3 inversions.

If we recall the total found for computations without normal elliptic bases, it is a clear practical improvement. The most important is that asymptotically, the $\log q$ factor vanishes.



3.3.1. Case $n = pr$ with $p, r$ distinct primes. In the case $n = pr$ with $p, r$ distinct primes, the situation is very similar to our $n = 15$ example (cf. Fig. 3).

Figure 3. The bijection $\theta$ for $n = pr$ and $U_1 = U_p = U_r = U_{pr} = 1$ (phase (1) maps $x_p, x_r$ to torus components by the exponents $\Phi_p(q)$, $q - 1$, $\Phi_r(q)$, $q - 1$; phase (2) rearranges $(t_1, t_p, t_r, t_{pr})$; phase (3) reconstructs $x_{pr}$ and $x_1$).

Especially, the cost of Phase (1) comes from exponentiations to the powers $\Phi_p(q)$ and $\Phi_r(q)$, that is $p$ and $r$ multiplications since exponentiation to a power of $q$ is free. This costs $n^{2+o(1)}\log^{1+o(1)} q$ bit operations. Exponentiation to the power $q - 1$ costs an inversion, which is asymptotically performed in quasi-linear time.

We now give details on the cost of Phase (3). We perform the embedding in two steps. First, we combine $t_1$ and $t_{pr}$ on one hand and $t_p$ and $t_r$ on the other hand. Then, we combine the two results again to form the element $x_{pr}$. We summarize this process on Fig. 4.

Figure 4. Reconstruction step in the case $n = pr$: $(t_1, t_{pr}) \mapsto y_1 = t_1^{u_1} t_{pr}^{u_{pr}} \in G_1$ and $(t_p, t_r) \mapsto y_2 = t_p^{u_p} t_r^{u_r} \in G_2$, then $(y_1, y_2) \mapsto x_{pr} \in \mathbb{F}_{q^{pr}}^\times$.

So the first step consists in two mappings,

$$T_1(\mathbb{F}_q) \times T_{pr}(\mathbb{F}_q) \longrightarrow G_1 \subset \mathbb{F}_{q^{pr}}^\times,\quad (t_1, t_{pr}) \mapsto y_1 = t_1^{u_1}\, t_{pr}^{u_{pr}},\quad \text{where } \Phi_{pr}(q)\,u_1 + \Phi_1(q)\,u_{pr} = 1,$$

and

$$T_p(\mathbb{F}_q) \times T_r(\mathbb{F}_q) \longrightarrow G_2 \subset \mathbb{F}_{q^{pr}}^\times,\quad (t_p, t_r) \mapsto y_2 = t_p^{u_p}\, t_r^{u_r},\quad \text{where } \Phi_r(q)\,u_p + \Phi_p(q)\,u_r = 1.$$

The final recombination is

$$G_1 \times G_2 \longrightarrow \mathbb{F}_{q^{pr}}^\times,\quad (y_1, y_2) \mapsto y_1^{v_1}\, y_2^{v_2},\quad \text{where } \frac{q^{pr} - 1}{\Phi_1(q)\Phi_{pr}(q)}\, v_1 + \frac{q^{pr} - 1}{\Phi_p(q)\Phi_r(q)}\, v_2 = 1.$$
The powers involved in the mappings of the first step, $u_1$, $u_p$, $u_r$ and $u_{pr}$, are the evaluations at $q$ of respectively $\Phi_{pr}^{-1} \bmod \Phi_1$, $\Phi_r^{-1} \bmod \Phi_p$, $\Phi_p^{-1} \bmod \Phi_r$ and $\Phi_1^{-1} \bmod \Phi_{pr}$. Actually, the $n$-th cyclotomic polynomial has small coefficients, $n^{1+o(1)}$ bits (cf. Section 2.3), and its computation can be done with $n^{2+o(1)}$ elementary operations.

We would need similar magnitude results for modular inverses of cyclotomic polynomials. To that end, Dunand recently found such bounds.

Theorem 2 ([Dun09]). For all $p$ and $r$ distinct prime numbers,

(i) $\Phi_p^{-1} \bmod \Phi_1 = 1/p$ and $\Phi_1^{-1} \bmod \Phi_p = (-1/p)(X^{p-2} + 2X^{p-3} + \cdots + p - 1)$.

(ii) $\Phi_{pr}^{-1} \bmod \Phi_1 = 1$ and $\Phi_1^{-1} \bmod \Phi_{pr} = \sum_{i=0}^{\varphi(pr)-1} v_i X^i$ with $v_i \in \{-1, 0, 1\}$.

(iii) $\Phi_r^{-1} \bmod \Phi_p = \sum_{i=0}^{d-1} X^{ri}$ with $d = r^{-1} \bmod p$, and $\Phi_p^{-1} \bmod \Phi_{pr} = \frac{1}{r}\sum_{i=0}^{\varphi(pr)-1} v_i X^i$ with $|v_i| < r$.

(iv) $\Phi_{pr}^{-1} \bmod \Phi_r = \frac{1}{p}\sum_{i=0}^{r-2} v_i X^i$ with $v_i \in \{0, -1, +1\}$.

The decomposition of $u_1$, $u_p$, $u_r$ and $u_{pr}$ in basis $q$ is very sparse, with only $-1$, 0 or 1 coefficients. The complexity of this step is thus $O(n)$ multiplications and few inversions in $\mathbb{F}_{q^n}$, that is $n^{2+o(1)}\log^{1+o(1)} q$ elementary operations.

The powers in the second step, $v_1$ and $v_2$, are the evaluations at $q$ of respectively $\Phi_p^{-1}\Phi_r^{-1} \bmod \Phi_1\Phi_{pr}$ and $\Phi_1^{-1}\Phi_{pr}^{-1} \bmod \Phi_p\Phi_r$. Their computations require the knowledge of $\Phi_p^{-1}$ modulo $\Phi_1$ and $\Phi_{pr}$, $\Phi_r^{-1}$ modulo $\Phi_1$ and $\Phi_{pr}$, $\Phi_1^{-1}$ modulo $\Phi_p$ and $\Phi_r$ and finally $\Phi_{pr}^{-1}$ modulo $\Phi_p$ and $\Phi_r$. To compute inverses modulo a product of two cyclotomic polynomials, we make use of the Chinese remainder theorem. If $\Phi \equiv A \bmod \Phi_{pr}$ and $\Phi \equiv B \bmod \Phi_1$, then

$$\Phi = \Bigl( (\Phi_1^{-1} \bmod \Phi_{pr})\,\Phi_1\, A + (\Phi_{pr}^{-1} \bmod \Phi_1)\,\Phi_{pr}\, B \Bigr) \bmod \Phi_1\Phi_{pr}.$$

And we have of course a similar formula for the second case. This yields the following coefficient bounds (in absolute value),

$$\Phi_p^{-1} \bmod \Phi_1\Phi_{pr} = \underbrace{\Phi_1}_{\text{at most }1}\,\underbrace{(\Phi_1^{-1} \bmod \Phi_{pr})}_{\text{at most }1}\,\underbrace{(\Phi_p^{-1} \bmod \Phi_{pr})}_{\text{at most }r} + \underbrace{\Phi_{pr}}_{\text{at most }1}\,\underbrace{(\Phi_{pr}^{-1} \bmod \Phi_1)}_{= 1}\,\underbrace{(\Phi_p^{-1} \bmod \Phi_1)}_{= 1/p} \bmod \Phi_1\Phi_{pr}. \qquad (3.5)$$

We have such a bound for $\Phi_r^{-1} \bmod \Phi_1\Phi_{pr}$ too (exchange $p$ and $r$ in Eq. (3.5)).

Finally $v_1$ is the product of $\Phi_p^{-1}$ and $\Phi_r^{-1}$ modulo $\Phi_1\Phi_{pr}$. The factor $1/pr$ appearing leads us to return $x_{pr}^{pr}$ instead of $x_{pr}$. So the powers involved in the last step will be $n v_1$ and $n v_2$. A very quick analysis shows that the coefficients of their decomposition in basis $q$ are upper bounded in absolute value by $n^5$, and this impacts the complexity by an additional but negligible penalty. The total complexity of the reconstruction phase is thus equal to $n^{2+o(1)}\log^{1+o(1)} q$ elementary operations.

As a conclusion, our variant of the bijection $\theta$ asymptotically costs, for $n = pr$ the product of two primes, $n^{2+o(1)}\log^{1+o(1)} q$ elementary operations.

3.3.2. Case of integers $n$ with more than two prime factors. The decomposition phase is the easiest to quantify for general $n$. We have to perform exponentiations to powers equal to cyclotomic polynomials evaluated at $q$. Since we have at most $d(n) = n^{o(1)}$ such polynomials, since they are of degree at most $n$ and since their coefficients have $n^{1+o(1)}$ bits, this yields a clear $n^{3+o(1)}\log^{1+o(1)} q$ bit complexity.

The reconstruction phase involves modular inverses of cyclotomic polynomials and, with our current knowledge, it seems very difficult to have in full generality bounds similar to Dunand's ones in the case $n = pr$. It seems, but we have no proof of this, that for integers $n$ with a fixed number of prime factors, the coefficients of these cyclotomic inverses are upper bounded in absolute value by a fixed power of $n$. And so, the reconstruction complexity would not exceed the complexity of the decomposition phase.

For more general integers $n$, it is very hard to state something, except of course that the complexity is no longer quasi-quadratic, but quasi-linear, in $\log q$.

4. Cryptographic Applications 

In [DW04], van Dijk and Woodruff give several applications, including a Diffie-Hellman-like multiple key exchange. We show here how this scheme can be adapted to our case.

4.1. Key agreement. We denote in the following $\theta : T_n(\mathbb{F}_q) \times \Pi^- \to \Pi^+$ the bijection $\theta$ initially defined by Eq. (1.2).

Let us assume that Alice and Bob need to agree not on a single key but on a sequence $(K_i)_{1 \leq i \leq m}$ of keys, with a Diffie-Hellman based system. Indeed, after having agreed on a generator $g$ of $T_n(\mathbb{F}_q)$, each of the keys will be $K_i = g^{x_i y_i}$ where $x_i$ and $y_i$ will be randomly chosen respectively by Alice and Bob.

Alice computes the points $A_i = g^{x_i}$ on the torus and, after having chosen a random $S_0 \in \Pi^-$, she computes in turn $\theta(A_i, S_{i-1}) = (a_i, S_i)$ for $i$ from 1 to $m$. She sends the $(a_i)_{1 \leq i \leq m}$ and the last output $S_m$ to Bob. So he can recover all the $A_i$'s by applying $\theta^{-1}(a_i, S_i) = (A_i, S_{i-1})$ for $i$ decreasing from $m$ to 1. Finally the key is $K_i = A_i^{y_i}$.

In this way, $S_m$ and $a_1, \ldots, a_m$ encode $A_1, \ldots, A_m$. This encoding is optimal except for the small overhead $S_m$, which is negligible for a large enough $m$.

Similarly, if Bob chooses $T_0 \in \Pi^-$ and computes successively $(b_i, T_i) = \theta(B_i, T_{i-1})$, he can send $(b_i)_i$ and $T_m$ to Alice, who can recover $(B_i)_i$ by $(B_i, T_{i-1}) = \theta^{-1}(b_i, T_i)$, for $i$ from $m$ to 1. Then $K_i = B_i^{x_i}$ gives the keys.

4.2. Adaptation. We need to modify this system since our bijection $\bar\theta$ is not exactly the same.

We focus here on the case $n = pr$ but it works in the same way for more general integers $n$. We want to use the bijection given in Fig. 3. Yet what we can efficiently calculate in the third step is $(t_1, t_p, t_r, t_{pr}) \mapsto x_{pr}^{pr}$. So we are going to use the slightly different mapping $\bar\theta$ and a reverse mapping $\bar\theta'$,

$$\bar\theta : T_n(\mathbb{F}_q) \times \mathbb{F}_{q^p}^\times \times \mathbb{F}_{q^r}^\times \longrightarrow \mathbb{F}_q^\times \times \mathbb{F}_{q^n}^\times,\qquad (x, x_p, x_r) \mapsto (x_1^n, x_n^n),$$

$$\bar\theta' : \mathbb{F}_q^\times \times \mathbb{F}_{q^n}^\times \longrightarrow T_n(\mathbb{F}_q) \times \mathbb{F}_{q^p}^\times \times \mathbb{F}_{q^r}^\times,\qquad (x_1, x_n) \mapsto (x^n, x_p^n, x_r^n).$$

Since $\bar\theta' \circ \bar\theta(x, x_p, x_r)$ is no longer equal to $(x, x_p, x_r)$ but to $(x^{n^2}, x_p^{n^2}, x_r^{n^2})$, we cannot make a direct use of the previous Diffie-Hellman scheme. We have to raise the output of our mappings to the $1/n$-th power instead. This can be easily done by a straightforward exponentiation, but at cost $n^{2+o(1)}\log^{2+o(1)} q$.

It turns out that this cost can be decreased, but at the expense of an additional constraint on $q$.

Lemma 2. Let $n$ be an odd integer, let $q$ be a prime power such that $n$ divides $q + 1$ and denote $k = (n-1)/2$, then

$$1/n \bmod (q^n - 1) = \mu_0 + \mu_1 q + \mu_0 q^2 + \cdots + \mu_1 q^{n-2} + \mu_0 q^{n-1}, \qquad (4.1)$$

where

$$\mu_0 = \frac{k(q-1) + q}{n} \qquad \text{and} \qquad \mu_1 = \frac{k(q-1) - 1}{n}.$$

Proof. We have

$$n(\mu_0 + \mu_1 q + \mu_0 q^2 + \cdots + \mu_1 q^{n-2} + \mu_0 q^{n-1}) - 1 - (k+1)(q^n - 1) = \frac{-(k+1)q^{n+2} + n\mu_0 q^{n+1} + (n\mu_1 + k + 1) q^n + k q^2 - n\mu_1 q - n\mu_0 - k}{q^2 - 1}.$$

The numerator of the right hand side is thus equal to

$$q^n\bigl(-(k+1) q^2 + n\mu_0 q + n\mu_1 + k + 1\bigr) + k q^2 - n\mu_1 q - n\mu_0 - k,$$

and then we need to check that the coefficient of $q^n$ and the remaining part of this expression are both equal to zero with $\mu_0$ and $\mu_1$ as given above. □
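Lemma 2 is easy to test numerically. The following added example (not from the paper) computes $\mu_0$ and $\mu_1$ from the formulas above for several admissible pairs $(n, q)$, rebuilds $1/n$ from its alternating base-$q$ digits, checks it against the inverse of $n$ modulo $q^n - 1$, and reports the integer $(n \cdot (1/n) - 1)/(q^n - 1)$, which equals $(n+1)/2$; the pairs $(n, q)$ are constructed so that $n$ is odd and divides $q + 1$.

```python
# Added example, not from the paper: numerical check of Lemma 2.  For n odd with
# n | q + 1 and k = (n-1)/2, Eq. (4.1) writes 1/n mod (q^n - 1) with the two
# base-q digits mu_0, mu_1 alternating, which is what makes the n-th root cheap
# in a normal basis, where multiplying an exponent by q is a coordinate shift.

def lemma2_digits(n, q):
    """(mu_0, mu_1) of Eq. (4.1); the hypotheses of Lemma 2 are enforced."""
    if n % 2 == 0 or (q + 1) % n != 0:
        raise ValueError("Lemma 2 needs n odd and n | q + 1")
    k = (n - 1) // 2
    mu0, rem0 = divmod(k * (q - 1) + q, n)
    mu1, rem1 = divmod(k * (q - 1) - 1, n)
    assert rem0 == 0 and rem1 == 0     # both numerators vanish mod n because q = -1 mod n
    return mu0, mu1

def inverse_of_n(n, q):
    """mu_0 + mu_1 q + mu_0 q^2 + ... + mu_1 q^{n-2} + mu_0 q^{n-1}, the right side of (4.1)."""
    mu0, mu1 = lemma2_digits(n, q)
    return sum((mu0, mu1)[i % 2] * q ** i for i in range(n))

def base_q_digits(e, q, n):
    """The n base-q digits of e, least significant first."""
    return [(e // q ** i) % q for i in range(n)]

def check(n, q):
    m = q ** n - 1
    inv = inverse_of_n(n, q)
    return {"is_inverse": (n * inv) % m == 1,
            "matches_pow": inv == pow(n, -1, m),
            "digits": base_q_digits(inv, q, n),        # should read mu_0, mu_1, mu_0, ...
            "multiplier": (n * inv - 1) // m}          # equals (n + 1)/2 = k + 1

if __name__ == "__main__":
    for n, q in [(3, 5), (5, 9), (7, 13), (15, 29)]:   # constructed pairs with n | q + 1
        print(n, q, check(n, q))
```

Since $\mu_1 < \mu_0 < q$, the two values are genuine base-$q$ digits, so the exponent $1/n$ has only two distinct digits and, in a normal basis, raising to it amounts to $n$ cheap Frobenius shifts plus exponentiations to the two small integers $\mu_0$ and $\mu_1$.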

Raising elements of $\mathbb{F}_{q^n}$ to the $1/n$-th power, where $1/n$ is given by Eq. (4.1), can be done with $n^{1+o(1)}\log^{2+o(1)} q$ elementary operations with a normal basis. The global asymptotical cost of the encodings in the key agreement is thus in this case $m$ times $n^{2+o(1)}\log^{1+o(1)} q + n^{1+o(1)}\log^{2+o(1)} q$ bit operations. This is smaller than $m$ times $n^{2+o(1)}\log^{2+o(1)} q$, the cost of $m$ Diffie-Hellman exponentiations.

Remark. Computing $n$-th roots in $\mathbb{F}_{q^n}$ excludes even integers $n$ in the construction, at least for odd prime powers $q$. But an easy workaround consists in working in the quadratic residue subgroups of $T_1(\mathbb{F}_q)$ and $T_2(\mathbb{F}_q)$. This is equivalent to substituting $(q-1)/2$ and $(q+1)/2$ for $\Phi_1(q)$ and $\Phi_2(q)$ everywhere in the construction of $\theta$. So, we are left at the end to compute $n/2$-th roots in $\mathbb{F}_{q^n}$, and all of this does not change the overall complexity of the scheme.